As you can see, this time the 16th byte holds the 'encrypted' flag (it used to be the 8th), the string size is now kept in the 18th byte (it used to be the 9th), and the string itself starts at byte #20 (it used to be #11).

Obviously, these parameters are random. The author of this threat must be keeping all the original strings in a separate file; a separately executed script then selects random encryption parameters, encrypts those strings, and produces the source files for compilation. This is similar to how ZeuS encrypts its strings.

Decrypting the entire file is also possible with the same tool that was suggested earlier. A file with the fully decrypted strings reveals some interesting details.
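As an added example (not from the original analysis, nor the tool it refers to), here is a Python parser that takes the flag, size and string offsets as parameters, so one piece of code handles both builds, and that tries candidate layouts against a blob because the offsets are re-randomised per build. Only the byte offsets come from the analysis; back-to-back records whose header length equals the string offset, a one-byte size field, and the XOR stand-in for the real cipher are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable, List

@dataclass(frozen=True)
class Layout:
    flag_off: int  # byte holding the 'encrypted' flag
    size_off: int  # byte holding the string length
    str_off: int   # byte where the string starts (assumed == header length)

OLD_LAYOUT = Layout(8, 9, 11)    # earlier build, offsets from the analysis
NEW_LAYOUT = Layout(16, 18, 20)  # current build, offsets from the analysis

def xor_5a(data: bytes) -> bytes:  # stand-in cipher, not the malware's own
    return bytes(b ^ 0x5A for b in data)

def decrypt_strings(blob: bytes, layout: Layout,
                    decrypt: Callable[[bytes], bytes] = xor_5a) -> List[bytes]:
    """Walk back-to-back records (assumed) and return each string, decrypting
    only those whose flag is set; ValueError if the layout does not fit."""
    out, pos = [], 0
    while pos < len(blob):
        hdr = blob[pos:pos + layout.str_off]
        if len(hdr) < layout.str_off:
            raise ValueError(f"truncated header at offset {pos}")
        flag, size = hdr[layout.flag_off], hdr[layout.size_off]
        if flag not in (0, 1) or size == 0:
            raise ValueError(f"implausible flag/size at offset {pos}")
        payload = blob[pos + layout.str_off:pos + layout.str_off + size]
        if len(payload) != size:
            raise ValueError(f"truncated string at offset {pos}")
        out.append(decrypt(payload) if flag else payload)
        pos += layout.str_off + size
    return out

def guess_layout(blob: bytes, candidates: List[Layout]) -> List[Layout]:
    """Offsets change per build: keep candidate layouts under which the blob parses."""
    good = []
    for layout in candidates:
        try:
            decrypt_strings(blob, layout)
            good.append(layout)
        except ValueError:
            continue
    return good

# Constructed sample: two records in the current layout (one encrypted, one clear).
ENC = xor_5a(b"gmail.com")
SAMPLE = (bytes(16) + b"\x01\x00" + bytes([len(ENC)]) + b"\x00" + ENC
          + bytes(16) + b"\x00\x00\x07\x00" + b"avp.exe")
```

Unused header bytes are zero in the constructed sample, which is why the old layout is rejected (it reads a zero size); a real blob would need the same sanity checks tuned to its actual header contents.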

First, the DLL contains a list of domain-name substrings that are used to filter out the websites it is interested in monitoring:

.hotmail.
gawab.com
gmail.com
live.com
mail.
maktoob.com
rocketmail.com
yahoo.co
ymail.com

Next, it contains a long list of security processes that it is designed to detect:

4gui.exe
antihook.exe
app_firewall.exe
asr.exe
authfw.exe
avgamsvr.exe
avgcc.exe
avgemc.exe
avgfwsrv.exe
avginet.exe
avgupsvc.exe
avp.exe
avpm.exe
blink.exe
blinkrm.exe
blinksvc.exe
bootsafe.exe
cclaw.exe
cdas17.exe
cdinstx.exe
clamd.exe
cmdagent.exe
configmgr.exe
cpf.exe
dcsuserprot.exe
dfw.exe
dvpapi.exe
eeyeevnt.exe
elogsvc.exe
emlproui.exe
emlproxy.exe
fameh32.exe
fch32.exe
firewall 2004.exe
fpavserver.exe
fprottray.exe
fsaua.exe
fsav32.exe
fsbwsys.exe
fsdfwd.exe
fsgk32.exe
fsgk32st.exe
fsguidll.exe
fsguiexe.exe
fsm32.exe
fsma32.exe
fsmb32.exe
fspc.exe
fspex.exe
fsqh.exe
fsrt.exe
fssm32.exe
fw.exe
fwsrv.exe
gateway.exe
icmon.exe
ike.exe
ipatrol.exe
ipcsvc.exe
ipctray.exe
jpf.exe
jpfsrv.exe
kav.exe
kavmm.exe
kpf
kpf4ss.exe
licwiz.exe
live help.exe
lpfw.exe
mpsvc.exe
netguard lite.exe
netmon.exe
nip.exe
njeeves.exe
nstzerospywarelite.exe
nvcoas.exe
nvcsched.exe
nvoy.exe
oeinject.exe
omnitray.exe
onlinent.exe
onlnsvc.exe
op_mon.exe
pcipprev.exe
pf6.exe
pfsvc.exe
pgaccount.exe
procguard.exe
pxagent.exe
pxconsole.exe
rdtask.exe
r-firewall.exe
rtt_crc_service.exe
sab_wab.exe
scanwscs.exe
sp_rsser.exe
spfirewallsvc.exe
sppfw.exe
spyhunter3.exe
spywareterminator.exe
spywareterminatorshield.exe
ssupdate.exe
superantispyware.exe
swnetsup.exe
swupdate.exe
sww.exe
tikl.exe
tinykl.exe
tray.exe
tsansrf.exe
tsatisy.exe
tscutynt.exe
tsmpnt.exe
umxagent.exe
umxcfg.exe
umxfwhlp.exe
umxlu.exe
umxpol.exe
umxtray.exe
updclient.exe
vcatch.exe
vdtask.exe
vsdesktop.exe
vsmon.exe
wsweepnt.exe
wwasher.exe
xauth_service.exe
xfilter.exe
zanda.exe
zerospyware le.exe
zerospyware lite.exe
zerospyware lite_installer.exe
zlclient.exe
zlh.exe

Now, the final exercise.

Compare the lists above to the ones reported here and try to spot 10 differences.